The United Airlines frequent flyer web site can be easily hacked to reveal passenger flight information thanks to, simply put, shoddy programming logic (emphasis added):
“An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass,” Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.
When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airlines’ frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.
MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.
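The two paragraphs above describe the weakness from the defender's side: a lookup endpoint that treats a guessable two-letter, six-digit identifier as the only credential, with nothing stopping a script from walking the ID space. The Python below is an added illustration, not code from the article, from Dahan, or from United; it assumes a hypothetical check-in endpoint path (`/checkin?mileageplus=`), an invented access-log format and a toy booking store. It shows two things a practitioner would want: detection logic that separates a customer retrying their own ID from a source cycling through many distinct IDs, and a lookup that requires a second piece of knowledge and answers identically for an unknown ID and a wrong name, so the response itself does not confirm which IDs exist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines for a hypothetical check-in endpoint that
# accepts a MileagePlus ID on its own. Format: <source-ip> <ISO timestamp> GET <path>.
# Addresses, timestamps and IDs are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 2015-10-08T10:00:00 GET /checkin?mileageplus=AB123456
203.0.113.7 2015-10-08T10:00:01 GET /checkin?mileageplus=AB123457
203.0.113.7 2015-10-08T10:00:02 GET /checkin?mileageplus=AB123458
203.0.113.7 2015-10-08T10:00:03 GET /checkin?mileageplus=AB123459
203.0.113.7 2015-10-08T10:00:04 GET /checkin?mileageplus=AB123460
198.51.100.9 2015-10-08T10:00:05 GET /checkin?mileageplus=CD654321
198.51.100.9 2015-10-08T10:00:20 GET /checkin?mileageplus=CD654321
198.51.100.9 2015-10-08T10:00:40 GET /checkin?mileageplus=CD654321
203.0.113.7 2015-10-08T10:05:00 GET /checkin?mileageplus=AB123461
"""

# Two letters followed by six digits: the MileagePlus ID shape described in the article.
MPID_RE = r"[A-Z]{2}\d{6}"
LINE_RE = re.compile(
    rf"^(?P<ip>\S+) (?P<ts>\S+) GET /checkin\?mileageplus=(?P<mpid>{MPID_RE})$"
)


def id_keyspace():
    """Number of possible IDs (26^2 * 10^6). Small enough to walk with a script,
    which is why the ID alone must never act as a credential."""
    return 26 ** 2 * 10 ** 6


def parse_log(text):
    """Return (ip, timestamp, mileageplus_id) for every check-in lookup line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], datetime.fromisoformat(m["ts"]), m["mpid"]))
    return events


def find_enumerators(events, window=timedelta(minutes=1), threshold=5):
    """Map source IP -> most distinct IDs it looked up inside any sliding window
    of `window`, for IPs reaching `threshold`.

    A customer retrying their own check-in repeats one ID; an enumeration script
    produces many different IDs in quick succession. Counting distinct IDs rather
    than raw requests separates the two cases.
    """
    by_ip = defaultdict(list)
    for ip, ts, mpid in events:
        by_ip[ip].append((ts, mpid))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()  # chronological; tuples sort by timestamp first
        best = 0
        for i, (start, _) in enumerate(hits):
            distinct = {mpid for ts, mpid in hits[i:] if ts - start < window}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed booking store for the hardened lookup (hypothetical data model).
BOOKINGS = {
    "AB123456": {"last_name": "DOE", "flight": "UA123", "seat": "14C"},
}


def lookup_booking(mpid, last_name, store=BOOKINGS):
    """Hardened lookup: require a second piece of knowledge besides the ID, and
    return the same None for an unknown ID and for a wrong name, so a caller
    cannot use the response to learn which IDs are valid."""
    rec = store.get(mpid)
    if rec is None or rec["last_name"] != last_name.strip().upper():
        return None
    return {"flight": rec["flight"], "seat": rec["seat"]}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("keyspace:", id_keyspace())
    print("flagged sources:", find_enumerators(events))
    print("valid lookup:", lookup_booking("AB123456", "Doe"))
    print("wrong name:", lookup_booking("AB123456", "Smith"))
```

On the constructed log, the first source is flagged with five distinct IDs inside one minute while the second, which only repeats its own ID, is not. The second-factor check does not make the ID space larger, so it belongs alongside rate limiting and this kind of monitoring, not in place of them.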
There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.
“This is the same type of vulnerability that weev [Andrew Auernheimer] was incarcerated over and yet as a penetration tester I have seen this type of vulnerability a lot,” Justin Seitz, author of two Python hacking books, said in an email. “Numerous mobile APIs that were never designed to see the light of day can be mined for information using 10-line Python scripts like you see in that proof of concept.”